EXECUTIVE SUMMARY:
In a recent security incident, researchers identified and mitigated an attack that exploited vulnerabilities in SimpleHelp's Remote Monitoring and Management (RMM) software, including CVE-2024-57726, CVE-2024-57727 and CVE-2024-57728. The threat actors initiated the breach by connecting to an endpoint through a vulnerable SimpleHelp RMM client (the JWrapper-Remote Access application) from an IP address based in Estonia. Once connected, they quickly ran a series of discovery commands to enumerate system details, user accounts and network configuration. This reconnaissance was followed by the creation of a new administrator account named 'sqladmin' to support further malicious activity. The attackers then deployed a backdoor named 'agent.exe', identified as a variant of the Sliver post-exploitation framework, to establish persistent access to the network.
Technical analysis revealed that the 'agent.exe' backdoor was configured to communicate with command-and-control (C2) servers located in the Netherlands over HTTPS on port 443. The backdoor supports process injection, service manipulation and file-system access. After the initial compromise, the attackers turned to the organization's domain controller (DC): they connected through the vulnerable SimpleHelp RMM client on the DC, ran the same kind of discovery commands, and created another administrator account named 'fpmhlttech'. Rather than dropping the same backdoor, this time they installed a Cloudflare tunnel client masquerading as the legitimate Windows 'svchost.exe' process to maintain covert access and potentially carry out further malicious activity.
A security solution detected and blocked the attempted execution of the Cloudflare tunnel and isolated the compromised system from the network. This quick intervention prevented the attackers from downloading and installing additional payloads, which could have escalated to a ransomware attack. A post-incident assessment revealed that the victim organization had not acted on a prior alert about vulnerable SimpleHelp RMM software in its environment, underlining the importance of responding to security advisories. The incident shows that attackers are actively exploiting SimpleHelp RMM vulnerabilities to gain unauthorized access to target networks. Organizations using SimpleHelp are strongly advised to update their RMM software to a patched version, audit their systems for unexpected administrator accounts such as those created in this incident, and implement strong defensive controls against such threats.
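The chain described above (discovery commands spawned by the RMM client, a new local administrator, an RMM-dropped 'agent.exe' beaconing on 443, and a binary named 'svchost.exe' running outside System32) can be hunted for directly in endpoint telemetry. The script below is an added example and is not code from the advisory or from SimpleHelp; it runs that detection logic over constructed Sysmon and Windows Security records. The hostnames, timestamps, the 203.0.113.7 address, the recon binary list and the SimpleHelp image path are all assumptions, not observed values.

```python
"""Hunt for the SimpleHelp-RMM intrusion pattern in exported Windows telemetry.

Added example, not code from the advisory. Records are constructed to mirror the
described behaviour; field names follow Sysmon (id 1 = process create, id 3 =
network connection) and Security-log (4720 = account created, 4732 = member
added to local group) conventions, but every value is synthetic.
"""
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

RMM_IMAGES = {"remote access.exe"}                       # assumed SimpleHelp client image name
DISCOVERY_BINARIES = {"whoami.exe", "systeminfo.exe", "ipconfig.exe", "net.exe",
                      "net1.exe", "nltest.exe", "hostname.exe", "quser.exe"}  # assumed recon set
SYSTEM32 = r"c:\windows\system32"
RMM = r"C:\ProgramData\JWrapper-Remote Access\Remote Access.exe"   # assumed install path


def _ev(host, t, eid, **fields):
    return {"host": host, "t": t, "id": eid, **fields}


# Constructed sample telemetry for two hosts: the first endpoint (WS01) and the DC (DC01).
EVENTS = [
    _ev("WS01", "2025-01-10T09:00:05", 1, Image=r"C:\Windows\System32\whoami.exe", ParentImage=RMM),
    _ev("WS01", "2025-01-10T09:00:12", 1, Image=r"C:\Windows\System32\net.exe", ParentImage=RMM),
    _ev("WS01", "2025-01-10T09:00:20", 1, Image=r"C:\Windows\System32\ipconfig.exe", ParentImage=RMM),
    _ev("WS01", "2025-01-10T09:00:41", 1, Image=r"C:\Windows\System32\systeminfo.exe", ParentImage=RMM),
    _ev("WS01", "2025-01-10T09:02:10", 4720, TargetUserName="sqladmin"),
    _ev("WS01", "2025-01-10T09:02:15", 4732, TargetUserName="Administrators", MemberName="sqladmin"),
    _ev("WS01", "2025-01-10T09:05:00", 1, Image=r"C:\Users\Public\agent.exe", ParentImage=RMM),
    _ev("WS01", "2025-01-10T09:05:03", 3, Image=r"C:\Users\Public\agent.exe",
        DestinationIp="203.0.113.7", DestinationPort=443),
    # Benign control: the real svchost.exe launched by services.exe must not be flagged.
    _ev("WS01", "2025-01-10T09:10:00", 1, Image=r"C:\Windows\System32\svchost.exe",
        ParentImage=r"C:\Windows\System32\services.exe"),
    _ev("DC01", "2025-01-10T09:30:00", 1, Image=r"C:\Windows\System32\whoami.exe", ParentImage=RMM),
    _ev("DC01", "2025-01-10T09:30:05", 1, Image=r"C:\Windows\System32\net.exe", ParentImage=RMM),
    _ev("DC01", "2025-01-10T09:30:30", 1, Image=r"C:\Windows\System32\nltest.exe", ParentImage=RMM),
    _ev("DC01", "2025-01-10T09:31:00", 4720, TargetUserName="fpmhlttech"),
    _ev("DC01", "2025-01-10T09:31:05", 4732, TargetUserName="Administrators", MemberName="fpmhlttech"),
    # Cloudflare tunnel masquerading as svchost.exe; execution was blocked, so no network event follows.
    _ev("DC01", "2025-01-10T09:35:00", 1, Image=r"C:\ProgramData\svchost.exe", ParentImage=RMM),
]


def _name(path):
    return ntpath.basename(path).lower()


def _ts(e):
    return datetime.fromisoformat(e["t"])


def discovery_from_rmm(events, min_distinct=3, window=timedelta(minutes=10)):
    """Per host: at least `min_distinct` different recon binaries spawned by the RMM client within `window`."""
    by_host = defaultdict(list)
    for e in events:
        if e["id"] == 1 and _name(e["ParentImage"]) in RMM_IMAGES and _name(e["Image"]) in DISCOVERY_BINARIES:
            by_host[e["host"]].append(e)
    findings = []
    for host, hits in by_host.items():
        hits.sort(key=_ts)
        for i, first in enumerate(hits):
            burst = {_name(h["Image"]) for h in hits[i:] if _ts(h) - _ts(first) <= window}
            if len(burst) >= min_distinct:
                findings.append({"rule": "discovery_from_rmm", "host": host, "binaries": sorted(burst)})
                break
    return findings


def new_local_admin(events):
    """Account created (4720) and later added to Administrators (4732) on the same host.
    Simplified: real 4732 events identify the member by MemberSid; resolve it before matching."""
    created = {(e["host"], e["TargetUserName"].lower()): e for e in events if e["id"] == 4720}
    findings = []
    for e in events:
        if e["id"] == 4732 and e["TargetUserName"].lower() == "administrators":
            key = (e["host"], e["MemberName"].lower())
            if key in created and _ts(e) >= _ts(created[key]):
                findings.append({"rule": "new_local_admin", "host": e["host"], "account": e["MemberName"]})
    return findings


def fake_svchost(events):
    """A process named svchost.exe whose image does not live in System32 (name masquerading)."""
    return [{"rule": "svchost_outside_system32", "host": e["host"], "image": e["Image"]}
            for e in events if e["id"] == 1 and _name(e["Image"]) == "svchost.exe"
            and ntpath.dirname(e["Image"]).lower() != SYSTEM32]


def rmm_dropped_beacon(events):
    """Non-recon child of the RMM client that then connects out to TCP/443 on a non-private address."""
    children = {(e["host"], _name(e["Image"])) for e in events
                if e["id"] == 1 and _name(e["ParentImage"]) in RMM_IMAGES
                and _name(e["Image"]) not in DISCOVERY_BINARIES}
    return [{"rule": "rmm_child_beacon", "host": e["host"], "image": e["Image"],
             "dst": f'{e["DestinationIp"]}:{e["DestinationPort"]}'}
            for e in events if e["id"] == 3 and (e["host"], _name(e["Image"])) in children
            and e["DestinationPort"] == 443
            and not e["DestinationIp"].startswith(("10.", "192.168."))]   # simplified RFC1918 check


def hunt(events):
    return discovery_from_rmm(events) + new_local_admin(events) + fake_svchost(events) + rmm_dropped_beacon(events)


if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f)
```

Against the constructed records this yields six findings: a discovery burst on both hosts, the 'sqladmin' and 'fpmhlttech' admin accounts, the out-of-place svchost.exe on the DC, and the agent.exe beacon to 443 from the first endpoint. The rules are deliberately narrow; in production the RMM image name, the recon list and the private-range filter should be taken from the environment's own inventory rather than these assumptions.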
THREAT PROFILE:
| Tactics | Technique ID | Technique |
|---|---|---|
| Initial Access | T1078 | Valid Accounts |
| Execution | T1059 | Command and Scripting Interpreter |
| Persistence | T1136 | Create Account |
| Privilege Escalation | T1078 | Valid Accounts |
| Defense Evasion | T1218 | System Binary Proxy Execution |
| Credential Access | T1003 | OS Credential Dumping |
| Discovery | T1082 | System Information Discovery |
| Discovery | T1016 | System Network Configuration Discovery |
| Discovery | T1033 | System Owner/User Discovery |
| Lateral Movement | T1570 | Lateral Tool Transfer |
| Command and Control | T1071 | Application Layer Protocol |
| Exfiltration | T1041 | Exfiltration Over C2 Channel |
REFERENCES:
For details of the available patches, refer to the existing advisory linked below:
https://advisory.eventussecurity.com/advisory/simplehelp-rmm-security-flaws-exploited-in-active-malicious-campaign/